
Congressional 
Research Service 

Informing the legislative debate since 1914 



Cybersecurity Issues for the Bulk 
Power System 



Richard J. Campbell 

Specialist in Energy Policy 

June 10, 2015 



Congressional Research Service 

7-5700 

www.crs.gov 

R43989 



CRS REPORT 

Prepared for Members and 
Committees of Congress — 






Summary 

In the United States, it is generally taken for granted that the electricity needed to power the U.S. 
economy is available on demand and will always be available to power our machines and devices. 
However, in recent years, new threats have materialized as new vulnerabilities have come to light, 
and a number of major concerns have emerged about the resilience and security of the nation’s 
electric power system. In particular, the cybersecurity of the electricity grid has been a focus of 
recent efforts to protect the integrity of the electric power system. 

The increasing frequency of cyber intrusions on industrial control (IC) systems of critical 
infrastructure continues to be a concern to the electric power sector. Power production and flows 
on the nation’s electricity grid are controlled remotely by a number of IC technologies. The 
National Security Agency (NSA) reported that it has seen intrusions into IC systems by entities 
with the apparent technical capability “to take down control systems that operate U.S. power 
grids, water systems and other critical infrastructure.” 

As the grid is modernized and the Smart Grid is deployed, new intelligent technologies utilizing 
two-way communications and other digital advantages are being optimized by Internet 
connectivity. Modernization of many IC systems (in particular, the Supervisory Control and Data 
Acquisition [SCADA] system) also has resulted in connections to the Internet. While these 
advances will improve the efficiency and performance of the grid, they also will increase its 
vulnerability to potential cyberattacks. BlackEnergy and Havex are recent examples of malware 
targeting SCADA systems, and the Sandworm campaign used BlackEnergy against such targets. 
New devices (like smart meters) and increasing points of access (such as renewable electricity 
facilities) introduce new additional areas through which a potential cyberattack may be launched 
at the grid. 

Many cybersecurity actions are reactive to the last threat discovered. While intrusion detection is 
a priority, some experts say that mitigation of cyber threats requires a focus on attackers, not the 
attacks. Cybersecurity strategies may shift from figuring out whether a system has been 
compromised to an understanding of who authored the malicious software and why. Although 
malware intrusions may not have resulted in a significant disruption of grid operations so far, they 
still have been possible even with mandatory standards in place. The North American Electric 
Reliability Corporation’s (NERC’s) current set of standards, Critical Infrastructure Protection 
(CIP) Version 5, is moving toward active consideration of bulk electric system security needs 
rather than just compliance with minimum standards. 

Electric utilities emphasize the need for timely information sharing and advocate for liability 
protection from potential damages resulting from a major cyber event. Some observers argue that 
it is the responsibility of electric utilities to embrace security as part of their strategic business 
planning and operations. The National Electric Sector Cybersecurity Organization has identified 
six failure scenario domains intended to assist utility cybersecurity efforts. These scenarios also 
illustrate the continuing vulnerability of the grid to potential cyber and physical attacks, or a 
combination of both. 

This report highlights several areas for congressional consideration to improve grid cybersecurity. 
One issue is whether electric utilities have the resources to make the financial investment and 
recruit staff to reduce vulnerabilities. Another issue is that NERC CIP standards do not apply to 
all points of grid connection to the distribution system, and these connections still may represent 
cyber vulnerabilities. The adequacy of current standards where they do apply is also an issue. 









Contents 

Introduction 1 

Grid Components and Potential Vulnerabilities 2 

Electric Utility Industrial Control Systems 3 

Supervisory Control and Data Acquisition Systems 4 

Distributed Control Systems 5 

Modernization and the Smart Grid 6 

Other Potential Vulnerabilities 8 

The Grid Is Experiencing Cyber Intrusions 9 

Mandatory Bulk Power Cybersecurity Standards 13 

Defining the Extent of FERC’s Authority over Cybersecurity 13 

Toward a Focus on Security and Not Just Compliance 14 

Government and Industry Cooperation on Grid Cybersecurity 16 

Department of Energy 16 

Department of Homeland Security 17 

National Protection and Programs Directorate 18 

Science and Technology Directorate 19 

National Institute of Standards and Technology 20 

North American Electric Reliability Corporation (NERC) 21 

Electricity Sub-Sector Coordinating Council (ESCC) 22 

Edison Electric Institute 23 

Evaluating and Improving Electricity Subsector Cybersecurity 23 

NESCO Cybersecurity Failure Scenarios 23 

Potential Mitigation of Cyber Threats 26 

Cybersecurity-Related Concerns of Electric Utilities 29 

Issues 31 

Selected Pending Legislation 33 

Figures 

Figure 1. Electric Power System Elements 3 

Figure 2. SCADA System General Layout 5 

Figure 3. Concept of a Smart Grid Network 7 

Figure 4. Draft List of Top Potential Failure Scenarios 25 

Figure 5. Example of a NESCO Failure Scenario Path and Its Mitigation 26 

Tables 

Table 1. Pending Legislation, 114th Congress 33 









Contacts 

Author Contact Information 35 

Acknowledgments 35 









Introduction 

In the United States, it is generally taken for granted that the electricity needed to power the U.S. 
economy is available on demand and will always be available to power our machines and devices. 
However, in recent years, new threats have materialized as new vulnerabilities have come to light, 
and a number of major concerns have emerged about the resilience and security of the nation’s 
electric power system. In particular, the cybersecurity 1 of the electricity grid has been a focus of 
recent efforts to protect the integrity of the electric power system. 2 

Power flows on the nation’s electricity grid are remotely controlled by a combination of older, 
legacy systems and newer control technologies. Many of these legacy technologies are analog in 
design and were not originally connected to the Internet 3 (although many are equipped with radio 
or other communications capabilities). But as the grid is modernized, the new “intelligent” 
technologies replacing them use advanced two-way communications and other digital advantages 
that likely will be optimized by Internet connectivity. While these advances will improve the 
efficiency and performance of the grid, they also potentially increase the vulnerability of the grid 
to cyberattacks. 

Cybersecurity is today, and will continue to be, a major issue and focus area for the electric power 
sector. The energy sector (i.e., electricity, natural gas, and petroleum) is one of 16 critical 
infrastructure sectors designated by the Department of Homeland Security. 4 Incidents of reported 
cyber intrusions and attacks aimed at undermining the U.S. grid appear to be increasing. 5 While 
parts of the electric power subsector have mandatory and enforceable cyber and physical security 
standards, 6 some have argued that minimum, consensus-based standards are not enough to secure 
the system. 7 Further, the electric grid is not isolated from attacks on other critical infrastructure 
sectors on which it depends (i.e., the natural gas subsector, water, and transportation), and 



1 Cybersecurity may be defined as the secure (i.e., protected from outside intrusion, corruption or other unauthorized 
access) operation of networks, computers, hardware, and software systems for business and industrial control 
processes. 

2 The Energy Independence and Security Act (EISA) of 2007 (P.L. 110-140) outlined requirements for “a reliable and 
secure electricity infrastructure” with regard to electric system modernization and Smart Grid development. EISA 
directed the National Institute of Standards and Technology (NIST) to develop a framework for protocols and standards 
for the Smart Grid to achieve “interoperability” of devices and systems. 

3 Analog systems can represent cybersecurity vulnerabilities, especially if these are modem-connected and the modem 
is unsecured. U.S. Department of Homeland Security, National Cyber Security Division, Recommended Practice for 
Securing Control System Modems, January 2008, https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/ 
SecuringModems.pdf. 

4 See http://www.dhs.gov/critical-infrastructure-sectors. 

5 According to the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), there were 140 cyber 
incidents reported in 2011, 197 in 2012, and 257 cyber incidents reported in 2013. Of the incidents reported in 2013, 
56% were directed at energy critical infrastructure, with most directed against electricity infrastructure. This can be 
compared with 2012, in which 41% of incidents involved energy (again, mostly electricity) facilities. See 
https://ics-cert.us-cert.gov/sites/default/files/documents/Year_In_Review_FY2013_Final.pdf. 

6 The Federal Energy Regulatory Commission (FERC) adopted the North American Electric Reliability Corporation’s 
(NERC’s) Critical Infrastructure Protection (CIP) Version 5 standards for cybersecurity in April 2014 and subsequently 
adopted NERC CIP-014 for reliability standards addressing risks due to physical security threats and vulnerabilities in 
May 2014. See CRS Report R43604, Physical Security of the U.S. Power Grid: High-Voltage Transformer Substations, 
by Paul W. Parfomak. 

7 As will be discussed later in this report, a new set of cybersecurity standards has been revised to emphasize security 
over compliance and goes into effect later this year. 






